-rw-r--r--usr.bin/nc/nc.152
-rw-r--r--usr.bin/nc/netcat.c27
2 files changed, 48 insertions, 31 deletions
diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1
index 8cb96e8734f..461e9e41be9 100644
--- a/usr.bin/nc/nc.1
+++ b/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.69 2015/09/11 21:07:01 beck Exp $
+.\" $OpenBSD: nc.1,v 1.70 2015/09/12 07:56:56 jmc Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
@@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: September 11 2015 $
+.Dd $Mdocdate: September 12 2015 $
.Dt NC 1
.Os
.Sh NAME
@@ -34,12 +34,17 @@
.Sh SYNOPSIS
.Nm nc
.Bk -words
-.Op Fl 46DdFhklNnrStUuvz
+.Op Fl 46cDdFhklNnrStUuvz
+.Op Fl C Ar certfile
+.Op Fl e Ar name
+.Op Fl H Ar hash
.Op Fl I Ar length
.Op Fl i Ar interval
+.Op Fl K Ar keyfile
.Op Fl O Ar length
.Op Fl P Ar proxy_username
.Op Fl p Ar source_port
+.Op Fl R Ar CAfile
.Op Fl s Ar source
.Op Fl T Ar keyword
.Op Fl V Ar rtable
@@ -98,17 +103,19 @@ to use IPv4 addresses only.
Forces
.Nm
to use IPv6 addresses only.
-.It Fl C Ar certificate_filename
+.It Fl C Ar certfile
Specifies the filename from which the public key part of the TLS
-certificate is loaded, in PEM format. May only be used with TLS.
+certificate is loaded, in PEM format.
+May only be used with TLS.
.It Fl c
-If using a TCP socket to connect or listen, use TLS. Illegal if not using TCP sockets.
+If using a TCP socket to connect or listen, use TLS.
+Illegal if not using TCP sockets.
.It Fl D
Enable debugging on the socket.
.It Fl d
Do not attempt to read from stdin.
.It Fl e Ar name
-specify the name that must be present in the peer certificate when using TLS.
+Specify the name that must be present in the peer certificate when using TLS.
Illegal if not using TLS.
.It Fl F
Pass the first connected socket using
@@ -125,7 +132,7 @@ using the
.Xr ssh_config 5
.Cm ProxyUseFdpass
option).
-.It Fl H Ar hash_string
+.It Fl H Ar hash
Specifies the required hash string of the peer certificate when using TLS.
The string format required is that used by
.Xr tls_peer_cert_hash 3 .
@@ -139,9 +146,10 @@ Specifies the size of the TCP receive buffer.
.It Fl i Ar interval
Specifies a delay time interval between lines of text sent and received.
Also causes a delay time between connections to multiple ports.
-.It Fl K Ar key_filename
+.It Fl K Ar keyfile
Specifies the filename from which the private key
-is loaded in PEM format. May only be used with TLS.
+is loaded in PEM format.
+May only be used with TLS.
.It Fl k
Forces
.Nm
@@ -188,10 +196,11 @@ should use, subject to privilege restrictions and availability.
It is an error to use this option in conjunction with the
.Fl l
option.
-.It Fl R Ar CA_filename
-Specifies the filename from which the root CA bundle for Certificate
-verification is loaded in pem format. Illegal if not using TLS.
-Default value is
+.It Fl R Ar CAfile
+Specifies the filename from which the root CA bundle for certificate
+verification is loaded, in PEM format.
+Illegal if not using TLS.
+The default is
.Pa /etc/ssl/cert.pem .
.It Fl r
Specifies that source and/or destination ports should be chosen randomly
@@ -214,14 +223,15 @@ For TLS options
.Ar keyword
may be one of
.Ar tlslegacy ,
-which allows legacy TLS protocols,
+which allows legacy TLS protocols;
.Ar noverify ,
-which disables certificate verification
+which disables certificate verification;
.Ar noname ,
-which disables certificate name checking, or
-.Ar clientcert,
-which requires a client certificate on incoming connections .
+which disables certificate name checking; or
+.Ar clientcert ,
+which requires a client certificate on incoming connections.
It is illegal to specify TLS options if not using TLS.
+.Pp
For IPv4 TOS value
.Ar keyword
may be one of
@@ -463,8 +473,8 @@ the source port, with a timeout of 5 seconds:
.Pp
.Dl $ nc -p 31337 -w 5 host.example.com 42
.Pp
-Open a TCP connection to port 443 of www.google.ca, and negotiate
-TLS. Check for a different name in the certificate for validation.
+Open a TCP connection to port 443 of www.google.ca, and negotiate TLS.
+Check for a different name in the certificate for validation.
.Pp
.Dl $ nc -v -c -e adsf.au.doubleclick.net www.google.ca 443
.Pp
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index bbd8de05226..acb97870a0c 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.134 2015/09/11 21:22:54 deraadt Exp $ */
+/* $OpenBSD: netcat.c,v 1.135 2015/09/12 07:56:56 jmc Exp $ */
/*
* Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
* Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -1499,12 +1499,17 @@ help(void)
fprintf(stderr, "\tCommand Summary:\n\
\t-4 Use IPv4\n\
\t-6 Use IPv6\n\
+ \t-C certfile Public key file\n\
+ \t-c Use TLS\n\
\t-D Enable the debug socket option\n\
\t-d Detach from stdin\n\
+ \t-e name\t Required name in peer certificate\n\
\t-F Pass socket fd\n\
+ \t-H hash\t Hash string of peer certificate\n\
\t-h This help text\n\
\t-I length TCP receive buffer length\n\
- \t-i secs\t Delay interval for lines sent, ports scanned\n\
+ \t-i interval Delay interval for lines sent, ports scanned\n\
+ \t-K keyfile Private key file\n\
\t-k Keep inbound sockets open for multiple connects\n\
\t-l Listen mode, for inbound connects\n\
\t-N Shutdown the network socket after EOF on stdin\n\
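Review bot: The added `-C certfile` entry calls its argument a "Public key file", while the nc.1 text in this same commit says the file holds the public key part of the TLS certificate in PEM format. A reader relying only on `nc -h` could take that to mean a bare public key rather than a certificate. Wording such as `\t-C certfile Certificate file (PEM)\n\` would match the manual and sit naturally beside the new `-K keyfile Private key file` entry. The column padding in that suggestion is approximate and should follow the neighbouring lines. help() starts before this hunk and continues past it.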
@@ -1512,16 +1517,17 @@ help(void)
\t-O length TCP send buffer length\n\
\t-P proxyuser\tUsername for proxy authentication\n\
\t-p port\t Specify local port for remote connects\n\
+ \t-R CAfile CA bundle\n\
\t-r Randomize remote ports\n\
\t-S Enable the TCP MD5 signature option\n\
- \t-s addr\t Local source address\n\
- \t-T toskeyword\tSet IP Type of Service\n\
+ \t-s source Local source address\n\
+ \t-T keyword TOS value or TLS options\n\
\t-t Answer TELNET negotiation\n\
\t-U Use UNIX domain socket\n\
\t-u UDP mode\n\
\t-V rtable Specify alternate routing table\n\
\t-v Verbose\n\
- \t-w secs\t Timeout for connects and final net reads\n\
+ \t-w timeout Timeout for connects and final net reads\n\
\t-X proto Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
\t-x addr[:port]\tSpecify proxy address and port\n\
\t-z Zero-I/O mode [used for scanning]\n\
@@ -1533,11 +1539,12 @@ void
usage(int ret)
{
fprintf(stderr,
- "usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] \n"
- "\t [-I length] [-i interval] [-H hash] [-K keyfile] [-O length]\n"
- "\t [-P proxy_username] [-p source_port] [-R cafile] [-s source]\n"
- "\t [-T tls|toskeyword] [-V rtable] [-w timeout]\n"
- "\t [-X proxy_protocol] [-x proxy_address[:port]]\n"
+ "usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] "
+ "[-H hash] [-I length]\n"
+ "\t [-i interval] [-K keyfile] [-O length] [-P proxy_username]\n"
+ "\t [-p source_port] [-R CAfile] [-s source] "
+ "[-T keyword] [-V rtable]\n"
+ "\t [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]\n"
"\t [destination] [port]\n");
if (ret)
exit(1);